saas fixes

Author: bhillkeyfactor

AcmeCaPlugin/AcmeCaPluginConfig.cs

@@ -60,6 +60,13 @@ public static Dictionary<string, PropertyConfigInfo> GetPluginAnnotations()
                     DefaultValue = "",
                     Type = "String"
                 },
+                ["Google_ServiceAccountKeyJson"] = new PropertyConfigInfo()
+                {
+                    Comments = "Google Cloud DNS: Service account JSON key content (alternative to file path for containerized deployments)",
+                    Hidden = true,
+                    DefaultValue = "",
+                    Type = "Secret"
+                },
                 ["Google_ProjectId"] = new PropertyConfigInfo()
                 {
                     Comments = "Google Cloud DNS: Project ID only if using Google DNS (Optional)",
@@ -68,6 +75,15 @@ public static Dictionary<string, PropertyConfigInfo> GetPluginAnnotations()
                     Type = "String"
                 },
 
+                // Container Deployment
+                ["AccountStoragePath"] = new PropertyConfigInfo()
+                {
+                    Comments = "Path for ACME account storage. Defaults to %APPDATA%\\AcmeAccounts on Windows or ./AcmeAccounts in containers.",
+                    Hidden = false,
+                    DefaultValue = "",
+                    Type = "String"
+                },
+
                 // Cloudflare DNS
                 ["Cloudflare_ApiToken"] = new PropertyConfigInfo()
                 {

AcmeCaPlugin/AcmeClientConfig.cs

@@ -15,6 +15,7 @@ public class AcmeClientConfig
 
         // Google Cloud DNS
         public string Google_ServiceAccountKeyPath { get; set; } = null;
+        public string Google_ServiceAccountKeyJson { get; set; } = null;
         public string Google_ProjectId { get; set; } = null;
 
         // Cloudflare DNS
@@ -34,5 +35,8 @@ public class AcmeClientConfig
         //IBM NS1 DNS Ns1_ApiKey
         public string Ns1_ApiKey { get; set; } = null;
 
+        // Container Deployment Support
+        public string AccountStoragePath { get; set; } = null;
+
     }
 }

AcmeCaPlugin/Clients/Acme/AccountManager.cs

@@ -39,13 +39,32 @@ class AccountManager
 
         #region Constructor
 
-        public AccountManager(ILogger log, string passphrase = null)
+        public AccountManager(ILogger log, string passphrase = null, string storagePath = null)
         {
             _log = log;
             _passphrase = passphrase;
-            _basePath = Path.Combine(
-                Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData),
-                "AcmeAccounts");
+
+            if (!string.IsNullOrWhiteSpace(storagePath))
+            {
+                // Use the explicitly configured path
+                _basePath = storagePath;
+            }
+            else
+            {
+                // Default: Use platform-appropriate path
+                var appDataPath = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData);
+                if (string.IsNullOrEmpty(appDataPath))
+                {
+                    // In containers, APPDATA may not be set; use current directory
+                    _basePath = Path.Combine(Directory.GetCurrentDirectory(), "AcmeAccounts");
+                }
+                else
+                {
+                    _basePath = Path.Combine(appDataPath, "AcmeAccounts");
+                }
+            }
+
+            _log.LogDebug("Account storage path configured: {BasePath}", _basePath);
         }
 
         #endregion

AcmeCaPlugin/Clients/Acme/AcmeClientManager.cs

@@ -65,7 +65,7 @@ public AcmeClientManager(ILogger log, AcmeClientConfig config, HttpClient httpCl
             _email = config.Email;
             _eabKid = config.EabKid;
             _eabHmac = config.EabHmacKey;
-            _accountManager = new AccountManager(log,config.SignerEncryptionPhrase);
+            _accountManager = new AccountManager(log, config.SignerEncryptionPhrase, config.AccountStoragePath);
 
             _log.LogDebug("AcmeClientManager initialized for directory: {DirectoryUrl}", _directoryUrl);
         }

AcmeCaPlugin/Clients/DNS/DnsProviderFactory.cs

@@ -15,6 +15,7 @@ public static IDnsProvider Create(AcmeClientConfig config, ILogger logger)
                 case "google":
                     return new GoogleDnsProvider(
                         config.Google_ServiceAccountKeyPath,
+                        config.Google_ServiceAccountKeyJson,
                         config.Google_ProjectId
                     );
 

AcmeCaPlugin/Clients/DNS/GoogleDnsProvider.cs

@@ -9,7 +9,7 @@
 
 /// <summary>
 /// Google Cloud DNS provider implementation for managing DNS TXT records.
-/// Supports explicit Service Account key or Workload Identity (Application Default Credentials).
+/// Supports explicit Service Account key (file or JSON), or Workload Identity (Application Default Credentials).
 /// </summary>
 public class GoogleDnsProvider : IDnsProvider
 {
@@ -18,19 +18,26 @@ public class GoogleDnsProvider : IDnsProvider
 
     /// <summary>
     /// Initializes a new instance of the GoogleDnsProvider class.
-    /// If serviceAccountKeyPath is null or empty, uses Application Default Credentials.
+    /// Credential resolution order: JSON key > File path > Application Default Credentials.
     /// </summary>
     /// <param name="serviceAccountKeyPath">Path to the Service Account JSON key file (optional)</param>
+    /// <param name="serviceAccountKeyJson">Service Account JSON key as a string (optional, for containerized deployments)</param>
     /// <param name="projectId">Google Cloud project ID containing the DNS zones</param>
-    public GoogleDnsProvider(string? serviceAccountKeyPath, string projectId)
+    public GoogleDnsProvider(string? serviceAccountKeyPath, string? serviceAccountKeyJson, string projectId)
     {
         _projectId = projectId;
 
         GoogleCredential credential;
 
-        if (!string.IsNullOrWhiteSpace(serviceAccountKeyPath))
+        if (!string.IsNullOrWhiteSpace(serviceAccountKeyJson))
         {
-            Console.WriteLine("✅ Using explicit Service Account JSON key.");
+            // JSON key provided directly (for container deployments)
+            Console.WriteLine("✅ Using Service Account JSON key from configuration.");
+            credential = GoogleCredential.FromJson(serviceAccountKeyJson);
+        }
+        else if (!string.IsNullOrWhiteSpace(serviceAccountKeyPath))
+        {
+            Console.WriteLine("✅ Using Service Account JSON key from file.");
             credential = GoogleCredential.FromFile(serviceAccountKeyPath);
         }
         else

docsource/configuration.md

@@ -65,7 +65,7 @@ This plugin automates DNS-01 challenges using pluggable DNS provider implementat
 
 | Provider     | Auth Methods Supported                        | Config Keys Required                                  |
 |--------------|-----------------------------------------------|--------------------------------------------------------|
-| Google DNS   | Service Account Key or ADC                    | `Google_ServiceAccountKeyPath`, `Google_ProjectId`     |
+| Google DNS   | Service Account Key (file or JSON), or ADC    | `Google_ServiceAccountKeyPath`, `Google_ServiceAccountKeyJson`, `Google_ProjectId` |
 | AWS Route 53 | Access Key/Secret or IAM Role                 | `AwsRoute53_AccessKey`, `AwsRoute53_SecretKey`         |
 | Azure DNS    | Client Secret or Managed Identity             | `Azure_TenantId`, `Azure_ClientId`, `Azure_ClientSecret`, `Azure_SubscriptionId` |
 | Cloudflare   | API Token                                     | `Cloudflare_ApiToken`                                  |
@@ -87,8 +87,9 @@ This logic is handled by the `DnsVerificationHelper` class and ensures a high-co
 
 Each provider supports multiple credential strategies:
 
-- **Google DNS**:  
-  - ✅ **Service Account Key** (via `Google_ServiceAccountKeyPath`)  
+- **Google DNS**:
+  - ✅ **Service Account Key File** (via `Google_ServiceAccountKeyPath`)
+  - ✅ **Service Account Key JSON** (via `Google_ServiceAccountKeyJson` - paste JSON directly)
   - ✅ **Application Default Credentials** (e.g., GCP Workload Identity or developer auth)
 
 - **AWS Route 53**:  
@@ -229,12 +230,17 @@ This ACME Gateway implementation uses a local file-based store to persist ACME a
 <details>
 <summary><strong>📁 Account Directory Structure</strong></summary>
 
-Each account is saved in its own directory within:
+Each account is saved in its own directory within the configured storage path:
 
 ```
-%APPDATA%\AcmeAccounts\{host}_{accountId}
+{AccountStoragePath}\{host}_{accountId}
 ```
 
+**Default paths:**
+- **Windows:** `%APPDATA%\AcmeAccounts\{host}_{accountId}`
+- **Containers (when APPDATA unavailable):** `./AcmeAccounts\{host}_{accountId}`
+- **Custom:** Set `AccountStoragePath` in the Gateway configuration
+
 Where:
 - `{host}` is the ACME directory host with dots replaced by dashes (e.g., `acme-zerossl-com`)
 - `{accountId}` is the final segment of the account's KID URL
@@ -344,10 +350,10 @@ This section outlines all required ports, file access, permissions, and validati
 
 | Path                                               | Purpose                                      |
 |----------------------------------------------------|----------------------------------------------|
-| `%APPDATA%\AcmeAccounts\`                        | Default base path for ACME account storage   |
-| `AcmeAccounts\{account_id}\Registration_v2`      | Contains serialized ACME account metadata    |
-| `AcmeAccounts\{account_id}\Signer_v2`            | Contains the encrypted private signer key    |
-| `AcmeAccounts\default_{host}.txt`                 | Stores the default account pointer for a given directory |
+| `%APPDATA%\AcmeAccounts\` or `AccountStoragePath`  | Base path for ACME account storage (configurable) |
+| `{base}\{account_id}\Registration_v2`              | Contains serialized ACME account metadata    |
+| `{base}\{account_id}\Signer_v2`                    | Contains the encrypted private signer key    |
+| `{base}\default_{host}.txt`                        | Stores the default account pointer for a given directory |
 
 #### File Access & Permissions
 
@@ -357,7 +363,8 @@ This section outlines all required ports, file access, permissions, and validati
 | Account files            | Read/Write| `Read`, `Write`     |
 
 - Files may be optionally encrypted using AES if a passphrase is configured.
-- Ensure the service account under which the orchestrator runs has read/write access to `%APPDATA%` or the custom configured base path.
+- Ensure the service account under which the orchestrator runs has read/write access to the configured base path.
+- For containers, mount a persistent volume to the `AccountStoragePath` to preserve accounts across restarts.
 
 </details>
 
@@ -384,6 +391,61 @@ This section outlines all required ports, file access, permissions, and validati
 
 </details>
 
+---
+
+### Container Deployment
+
+This section covers configuration options specific to containerized deployments (Docker, Kubernetes, etc.).
+
+<details>
+<summary><strong>📁 Configurable Account Storage Path</strong></summary>
+
+By default, the plugin stores ACME accounts in `%APPDATA%\AcmeAccounts` on Windows. In containerized environments, use the `AccountStoragePath` configuration option:
+
+| Environment | Recommended Path |
+|-------------|------------------|
+| Docker/Kubernetes | `/data/AcmeAccounts` (mounted volume) |
+| Windows Container | `C:\AcmeData\AcmeAccounts` |
+
+If `AccountStoragePath` is not set and `%APPDATA%` is unavailable, the plugin defaults to `./AcmeAccounts` relative to the working directory.
+
+</details>
+
+<details>
+<summary><strong>🌐 Google Cloud DNS in Containers</strong></summary>
+
+For Google Cloud DNS in container environments, you have three authentication options:
+
+1. **Workload Identity (GKE)**: No explicit credentials needed; uses pod identity.
+2. **JSON key in config**: Paste the service account JSON directly into `Google_ServiceAccountKeyJson`.
+3. **Mounted JSON file**: Mount the service account key file and set `Google_ServiceAccountKeyPath`.
+
+</details>
+
+<details>
+<summary><strong>☸️ Kubernetes Deployment Considerations</strong></summary>
+
+When deploying in Kubernetes:
+
+1. **Persistent Storage**: Use a PersistentVolumeClaim for `AccountStoragePath` to preserve ACME accounts across pod restarts.
+2. **Cloud Provider Identity**: Leverage Workload Identity (GKE), IAM Roles for Service Accounts (EKS), or Pod Identity (AKS) for DNS provider authentication.
+
+**Example PersistentVolumeClaim:**
+```yaml
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: acme-accounts
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 100Mi
+```
+
+</details>
+
 
 ## Gateway Registration